Comments on this page are supposed to improve article content and no technical support is provided. For technical questions, please visit project home page at: https://pspki.codeplex.com/

Add-CAAccessControlEntry

Add-CAAccessControlEntry

Synopsis

Adds new Access Control Entry (ACE) to a Certification Authority's Access Control List (ACL).

Syntax

Add-CAAccessControlEntry [-InputObject] <CASecurityDescriptor[]> [[-AccessControlEntry] <CertificationAuthorityAccessRule[]>] [<CommonParameters>]

Description

Adds new Access Control Entry (ACE) to a Certification Authority's Access Control List (ACL).

This command performs ACL object change. Use Set-CASecurityDescriptor to write modified ACL to CA configuration.

Note: CA security descriptor supports only one ACE per user. Therefore, if added user account already has explicit permissions on CA server, new ACE will not be added.

Parameters

-InputObject <CASecurityDescriptor[]>

Specifies the current access control list (ACL) object to modify. This object can be retrieved by running either, Get-CASecurityDescriptor or Remove-CAAccessControlEntry commands.

Required? True
Position? 0
Default value  
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-AccessControlEntry <CertificationAuthorityAccessRule[]>

Specifies the new access control entry object to add.

Required? False
Position? 1
Default value  
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.Security.AccessControl.CASecurityDescriptor

Outputs

PKI.Security.AccessControl.CASecurityDescriptor

Notes

Author: Vadims Podans
Blog: https://www.sysadmins.lv

Examples

Example 1

PS C:\> $ACE = @(New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"JohnWayne"), "ManageCA", "Allow")
PS C:\> $ACE += New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCertificates", "Allow"
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Add-CAAccessControlEntry -AccessControlEntry $ACE | Set-CASecurityDescriptor -RestartCA

First two lines create new access control entries: -- first creates ACE for John Wayne and grants him CA manager permissions. -- second creates ACE for John Smith and grants him certificate manager permissions. Third line retrieves current ACL from CA server, adds new access control entries and writes them to CA configuration. After command completion CA services will be restarted to immediately apply changes. Note that if ACL already contains entry for user account to be added, new ACE will not be added. Instead, use techniques described in Example 2.

Example 2

PS C:\> $ACE = New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCA", "Allow")
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Remove-CAAccessControlEntry -User "jsmith" | Add-CAAccessControlEntry -AccessControlEntry $ACE | Set-CASecurityDescriptor -RestartCA

This example demonstrates techniques to change permissions explicitly granted to a user. In a given example, first line creates new access control entry for John Smith. Second line retrieves access control list from CA server, removes all permissions granted to John Smith and adds new access control entry.

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-CASecurityDescriptor
Remove-CAAccessControlEntry
Set-CASecurityDescriptor

PowerShell Support

  • PowerShell 3.0

Operating System Support

  • Windows Server 2003 all editions
  • Windows Server 2008 all editions
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions

Comments:

Captcha